Sadly, I am always amazed when the leader of a country is thoughtful and articulate. Recently, Toomas Hendrik Ilves, President of Estonia, spoke at the International Conference on Cyber Conflict. He characterizes the very different views of the Internet held by democracies and authoritarian states, with excellent references to history. Clear, succinct, articulate - a true thought-leader.

  • President of Estonia: Cyber-security and liberal democracies
    “The world is not clearly divided into two camps on this matter. Between the US, the EU and like-minded nations at one end of the spectrum, and authoritarian countries at the other extreme, a large number of countries sit on the fence on the issue of the future architecture of the internet. They have legitimate concerns about internet governance, so we must focus our attention on their needs while reassuring them about our actions and intentions. I would conclude with five observations on how to proceed:”

There were other items of interest to the identity community, including the ongoing IDMaaS discussion and commentary on the massive password breaches at LinkedIn and others:


  • Kim Cameron: Freedom of choice != Your choice of captor
    “Nishant goes on to give more examples of how he thinks Office 365 could be implemented.  I won’t discuss those at this point since I think we should save our implementation discussions for later.  First we need a more thorough conversation about what IdMaaS actually involves given all the changes that are impacting us.  It is these definitions that must lead to implementation considerations.  I hope Nishant will bear with me on this so we can continue the discussion begun so far.”
  • Nishant Kaushik: It's All About When The Rubber Meets The Road
    “What I was pointing out was that John Shewchuk's post about WAAD seemed to indicate a lack of Freedom of Choice in what Microsoft is rolling out, at least right now. Becoming an Office 365 customer would "automatically create a new Windows Azure Active Directory that is associated with the Office 365 account", forcing you to store and manage your identities in WAAD. It should simply ask for the domain from which users could use this, and you could simply point to the Google Apps domain of your company, sign up for WAAD if needed, or grant access to contractors/partners using whatever identity they choose (traditional AD environment, Facebook or Twitter accounts, even personal OpenIDs). By the way, the governance controls I was talking about are essential here in order to define the process of granting, managing and taking away access in this deployment model.”
  • Kim Cameron: Governance is key
    “Let me explain what I had in mind as a way to achieve some depth in this discussion.  It seemed to me we need to decompose the overall service capabilities, rather than trying to discuss “everything simultaneously”.  I started by trying to talk about the IdM models that have led us to the current point in time, in order to set the stage for the exploration of the new emerging model of  Identity Management as a Service and its capabilities, as illustrated in this graphic: “
  • John Fontana: Hello! I’m drunkdadwithshotgun
    “The rest of the profile is a train wreck. I am listed with a middle initial - I don’t have a middle name. I’m listed as a resident of a city I haven’t lived in for nearly 20 years. My profile picture shows a dog - the last dog I had died in 1972. My age is off by 15 years. There are more than a dozen “relatives” listed, none of which I know.”
    [On the Internet, no one knows you’re not a dog.]
  • Anil Saldhana: LinkedIn has a wake up call
    “I have been a LinkedIn member since inception. It feels like close to decade+. I respect and utilize their services on a daily basis. Their advances in technology primarily big data analytics impresses me. But when customers/users provide you their information, then it is of utmost importance to safeguard it. LinkedIn failed to do that. But they are not alone. Everyday, we hear some data breach. The fundamental problem is that there is no easy way to secure anything. Passwords are useful to achieve the minimum level of security, with minimum set up. But they are not the best forms of security. Working toward preventing data breaches should be part of a daily routine.”
  • LinkedIn: An Update On Taking Steps To Protect Our Members
    “We want to be as transparent as possible while at the same time preserving the security of our members without jeopardizing the ongoing investigation. In this post, we want to address questions we’ve been receiving and share what we’ve learned so far about the incident, how we’ve responded, and what we’re doing to protect our members going forward.”
  • Craig Burton: LinkedIn Hacked—More Reason for IdM in the Cloud
    “The sooner we can start building on an Identity Metasystem design, the better. Even scarier than LinkedIn being hacked — you can almost guarantee that many other cloud-based services you are using have a similar “yet-another-funky-id-system” design for IdM. Scarier still — these systems probably won’t get fixed until they are compromised.”
  • Thomas Pedersen: Lessons For CIOs From The LinkedIn Password Hack
    “Fortunately, there are ways enterprises can protect themselves against weak passwords. The best way is to completely eliminate passwords in Web applications. This can effectively be done using a standards-based protocol called Security Assertion Markup Language (SAML), which is rapidly gaining traction with both enterprises and cloud application vendors. Most of the major cloud applications support SAML today, and emerging players are implementing SAML toolkits early in order to make their applications more secure and to encourage adoption within large enterprises as well as smaller organizations like those in the financial services industry which often face stringent regulatory and compliance issues, regardless of their size.”
  • John Fontana: In the sad world of passwords, we’re engrossed in the wrong movie
    “It’s not the passwords, folks. The infrastructure is broken. What’s that phrase about insanity and trying the same thing over and over?”
  • CIS Series. Daniel Headrick: Woe is the enterprise security boundary
    “Headrick believes the industry should be farther along than it is with a trusted identity model; one that is not bound by federations that are negotiated and built in a point-to-point fashion. He says the way in which IT expects the perimeter to protect data should already be shifting.”
  • Phil Windley: Personal Channels
    “Drummond Reed and I have just released a whitepaper describing how personal clouds can be linked together in a decentralized relationship network to create a sharing architecture that has tremendous power and extraordinary benefits.”
  • Mike Desai: Three Reasons why the Midmarket is Full-Throttle on Cloud
    “Fun aside, conversations throughout the event centered on cloud computing and cloud apps. There's no doubt the midmarket is driving the adoption of cloud computing, more so than their enterprise brethren. This presents a vibrant opportunity for Software as a Service (SaaS) providers. Three common threads kept popping up, whether in formal conversations in the booth, in the hallways between educational sessions or in after-hours festivities.  Let's spend some time examining them:”
  • Francois Lascelles: Mobile-Friendly Federated Identity: Part 1 – The Social Login Legacy
    “If I were to measure the success of a federated identity system, I would consider the following factors: End user experience; How easy it is for a relying party to participate; How well it meets security requirements. I get easily frustrated when subjected to bad user experience regarding user login and Single Sign-On but I also recognize apps that get this right. In this first part of a series on the topic of mobile-friendly federated identity, I would like to identify winning patterns associated with the social login trend.”
  • Federated ID: An Idea Whose Time Never Came?
    “So what's the problem? For companies short on time, manpower and money - a description that fits many organizations caught in the current economic slowdown - federated ID remains something many would like to adopt if not for the costs and logistical nightmares involved.”
    [Even though Ping is doing quite well, thank you, with our point-to-point federation product, PingFederate, we've talked with customers about issues around scale, which is why we offer our connect once, go everywhere service, PingOne. We offer a choice, and they work better, together.]
  • Anil John: If You Don't Plan For User Enrollment Now, You'll Hate Federation Later
    “User enrollment (a.k.a. user activation, user provisioning, account mapping) into a relying party (RP) application is one of those pesky details that is often glossed over in identity federation conversations. But this piece of the last mile integration with the relying party is fundamental to making identity federation work. This blog post describes this critical step and its components.”


  • How LinkedIn Missed Out
    [Neil A. Wilson, UnboundID, lists all the characteristics of a well-designed password based authentication system. Excellent advice. However, Ping’s Ian Barnett shared an article with me about how modern graphics processing units can even crack salted hashes. So now hashing using bcrypt and its cousins is the recommended best practice.]
  • Password dump checking
    “Leaks of (badly secured) password files seem to be big news at the moment. In many cases people set up sites to allow you to see if your password was in the leak – but who knows whether these sites are trustworthy. That’s not a risk I’m happy to take.

    Python provides a reasonably simple way to test:

    >>> import hashlib
    >>> h = hashlib.new('sha1')          # the leaked LinkedIn file held unsalted SHA-1 digests
    >>> h.update(b'password')            # your own password, hashed locally; it never leaves the machine
    >>> h.hexdigest()                    # grep this hex string in the dump file
    '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'
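The two items above make one point from each side: the quoted post shows how to check your own password against a leaked dump without handing it to a stranger's website, and the UnboundID aside notes that salting alone no longer stops GPU cracking, so bcrypt and its cousins are now the recommendation. The block below is an added example that is not code from either post, from LinkedIn or from UnboundID. It turns the hashlib trick into a function, then plays the attacker against a constructed unsalted dump, a salted SHA-1 dump, and a PBKDF2 dump (PBKDF2-HMAC from the standard library stands in for bcrypt, which is not in the stdlib). The plaintexts, wordlist and salts are all constructed here; no real leak data is used.

```python
"""Added example (not from the quoted post, LinkedIn or UnboundID): check a
password against a leaked dump offline, then see why a salted fast hash is
still cheap to crack per guess while a work factor changes the economics."""
import hashlib
import os
import time

# Constructed stand-in for a LinkedIn-style dump: unsalted SHA-1 hex digests.
LEAKED_PLAINTEXTS = ["password", "123456", "letmein"]   # used only to build the fixture
UNSALTED_DUMP = {hashlib.sha1(p.encode()).hexdigest() for p in LEAKED_PLAINTEXTS}


def password_in_dump(password, dump):
    """The quoted post's check as a function: hash locally, then look the digest
    up, so the plaintext is never typed into someone else's 'was I leaked?' site."""
    return hashlib.sha1(password.encode()).hexdigest() in dump


def crack_unsalted(dump, wordlist):
    """Unsalted: one hash per guess is compared against every account at once."""
    found, hashes = {}, 0
    for guess in wordlist:
        digest = hashlib.sha1(guess.encode()).hexdigest()
        hashes += 1
        if digest in dump:
            found[digest] = guess
    return found, hashes


def salted_sha1(password, salt):
    """Fast hash with a per-account salt; still one SHA-1 per guess."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: the point is
    the tunable iteration count, not the particular construction)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_dump(plaintexts, hash_fn):
    """Per-account random 16-byte salt stored beside the digest, as a real
    system would do.  Returns [(salt, digest), ...] in plaintext order."""
    rows = []
    for p in plaintexts:
        salt = os.urandom(16)
        rows.append((salt, hash_fn(p, salt)))
    return rows


def crack_salted(rows, wordlist, hash_fn):
    """Salt kills rainbow tables and reuse of one computation across accounts,
    so every guess is re-hashed per account until that account falls.  It does
    nothing to the cost of a single hash, which is exactly what a GPU exploits."""
    found, hashes = {}, 0
    for i, (salt, digest) in enumerate(rows):
        for guess in wordlist:
            hashes += 1
            if hash_fn(guess, salt) == digest:
                found[i] = guess
                break
    return found, hashes


def cost_ratio(iterations=100_000):
    """Rough per-guess cost of the slow hash relative to one salted SHA-1 on
    this CPU.  A GPU scales both down; the ratio is the defender's knob."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(1000):
        salted_sha1("guess", salt)
    fast = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    slow_hash("guess", salt, iterations)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    wordlist = ["qwerty", "password", "123456", "letmein", "dragon"]   # constructed
    print("my password in the dump?", password_in_dump("letmein", UNSALTED_DUMP))
    print("unsalted SHA-1:", crack_unsalted(UNSALTED_DUMP, wordlist))
    salted_rows = make_dump(LEAKED_PLAINTEXTS, salted_sha1)
    print("salted SHA-1:", crack_salted(salted_rows, wordlist, salted_sha1))
    slow_rows = make_dump(LEAKED_PLAINTEXTS, slow_hash)
    print("PBKDF2 (same guesses, far slower):", crack_salted(slow_rows, wordlist, slow_hash))
    print("per-guess cost, PBKDF2 vs SHA-1: about %.0fx" % cost_ratio())
```

Salting raises the attacker's hash count from the size of the wordlist to roughly wordlist times accounts, which is a linear factor a GPU absorbs without noticing; the iteration count of a bcrypt-class function multiplies the cost of every one of those hashes, and the defender chooses that multiplier.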

Cloud Computing

  • TechEd: Microsoft is Really Serious About the Cloud
    “Microsoft (NASDAQ: MSFT) this week is hosting TechEd North America 2012, and from both the official releases and the press commentary, I get the sense that Redmond is fully vested in its transformation from traditional software/OS giant to contemporary cloud contender. Whether you feel nostalgic about the end of the PC era, or Microsoft was the monopolist you loved to hate, take a good long look — the company we once knew is going to change forever. This is the era of the cloud.”
  • ‘US Ignite’ Will Create Ultra-Fast Experimental Broadband Networks
    “The White House has launched a public-private partnership aiming to build ultra high-speed broadband networks in communities around the U.S. Unveiled Thursday, it’s called US Ignite. The NSF is committing $20 million to the development of the new networks. It’s also co-hosting a $500,000 competition along with Mozilla Foundation and the Department of Energy for coders developing high-speed apps using the new networks.”
  • U.S. unveils single standard for cloud-computing services
    “The General Services Administration earlier this week unveiled a single authentication standard for government cloud-computing services. The Federal Risk and Authorization Management Program, known as FedRAMP, will standardize the basic security requirements that cloud-computing providers, such as Google and Microsoft, will have to meet before receiving government contracts. The new guidelines will require contractors to hire third-party assessment organizations that will verify whether they meet the basic security requirements.”
  • AWS now stores 1 trillion objects in S3
    “To get a concept of how big a trillion is, Amazon’s Jeff Barr in a blog post announcing the new peak calls on the following examples: “That’s 142 objects for every person on Planet Earth or 3.3 objects for every star in our Galaxy. If you could count one object per second it would take you 31,710 years to count them all.” I recently heard TED founder Richard Saul Wurman discuss the national debt by noting that in order to reach a trillion-dollar debt, you’d have to lose $1 million a day every day for about 2,739 years.”
  • Worldwide LHC Computing Grid: Federated Identity Management Vision
    “A collaborative effort started in June 2011. Involves photon & neutron facilities, social science & humanities, high-energy physics, climate science and life sciences, fusion energy.”
  • Integral Federated Identity Management for Cloud Computing
    “Cloud computing environments may offer different levels of abstraction to its users. Federated identity management, though, does not leverage these abstractions; each user must set up her identity management solution. This situation is further aggravated by the fact that no identity federation solution is able to integrate all abstraction layers (i.e. IaaS, PaaS, and SaaS). In this paper we describe a new architecture offering integral federated identity management, to support multi-domain clients in a multi-provider environment. We also present some implementation details. The proposed architecture offers significant advantages over current offerings: it eases identity management without losing flexibility, offers better user tracking through the whole cloud computing layers, and enables the implementation of multi-provider environments through account data replication.”

Valuable Identity

  • Bruce Schneier: High-Quality Fake IDs from China
    “The only real solution here is to move the security model from the document to the database. With online verification the document matters much less, because it is nothing more than a pointer into a database. Think about credit cards.”
  • Anil John: FIPS 201 Evaluation Program Industry Session Followup
    “The industry feedback day was very well attended, and we thank everyone for the constructive feedback you provided. Below is a recap of the main points that were touched upon during the session:”
  • Isis Fees Give Issuers Pause
    “In another excellent NFC Times article (hat tip!), the costs for card payment credential storage on an Isis-managed NFC smartphone are discussed. And they aren't cheap. At $5 per year per card, that is significantly more expensive per account than a standard card which the issuer has to provide as well. The Isis proposition to the issuer is, of course, that their customers are headed to an all mobile payments world with tap-and-go payments at the center of that activity and if the issuer wants to see transactions from that new world, it better get on board. The issuers are balking at the price.”
  • Scott Loftesness: My Take: Apple’s New Passbook
    “Passbook represents a new, operating system-level feature that pulls together storage of these kinds of items in a new way – instead of having your airline boarding pass, for example, tucked away inside your airline’s mobile app on the fourth screen of your iPhone, Passbook provides the mechanism (through a new developer interface called Pass Kit) for the airline’s app developers to much more conveniently store your boarding place in a system-level application that’s more readily available – one which can even be automatically triggered to be on the lock screen of your phone when you walk into a venue.”
